In the following tutorial, I will explain how to set up a PPTP VPN server on RHEL/CentOS 5, so that you can use it to browse the internet. So, if you have a RHEL/CentOS 5 dedicated server in US, you will be able to access US only sites.
A set up like this also has other benefits. Since the connection between the server and your computer will be encrypted, your ISP wont be able to intercept or track your internet usage.
Installation and Configuration
Ok, so lets get started. First make sure that you have ppp installed.
yum install ppp
In my case it was already installed, so I got the message ‘Package ppp – 2.4.4-1.el5.x86_64 is already installed’.
After you make sure that you have ppp installed, download and install Poptop. You can get the RHEL/CentOS 5 RPMs from http://poptop.sourceforge.net/yum/stable/rhel5/. I was using 64 bit version of CentOS 5. So I downloaded and installed the 64 bit (x86_64) version of the RPM.
rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm
After installing Poptop, open the file /etc/pptpd.conf.
Go to the end of the file where you can see examples of localip and remoteip. Below them add your own values for localip and remoteip.
In the above, 10.0.0.1 will be used for the ppp interface and 10.0.0.10 – 10.0.0.100 will be assigned to the clients. You can also use different private IPs in ‘localip’ and ‘remoteip’, like 10.20.26.1 and 10.20.26.10-100. The OpenVPN documentation has some good info about numbering private subnets. Click here to check it out.
Next, open the file /etc/ppp/options.pptpd.
Uncomment the ms-dns lines (by removing the ‘#’ in front of them) and change them to the dns servers provided by your ISP or to public DNS servers like ones provided by OpenDNS.
Thats all you need to change in the options.pptpd file. Next you will need to edit the file /etc/ppp/chap-secrets to add usernames and passwords for your clients. You need to enter the usernames and passwords in the following format.
# Secrets for authentication using CHAP
# client server secret IP addresses
username pptpd password *
username2 pptpd password2 *
You can also put a * in place of ‘pptpd’ just like there is a * below ‘IP addresses’. Also instead of a * below ‘IP addresses’ you can put the IP address from which the client will be connecting.
IP Forwarding and Firewall Rules
Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1.
net.ipv4.ip_forward = 1
To make the changes to sysctl.conf take effect, use the following command.
Or you can also use the following command to enable IP forwarding temporarily.
echo 1 > /proc/sys/net/ipv4/ip_forward
Next, configure iptables to do NAT.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Next, we need to allow TCP port 1723 and the GRE protocol through iptables.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Now start the PPTP server if you haven’t already.
service pptpd start
If you followed the above steps correctly, the PPTP server should now be ready for use.
In case you are unable to connect to the VPN, check out the following Microsoft knowledge base article. It has some good troubleshooting tips.
If you are unable to browse certain sites through the VPN, you may need to change the MTU of the ppp interface. To do this open the /etc/ppp/ip-up file and just before the last line, add the following line.
/sbin/ifconfig $1 mtu 1400
Save the file after that and then restart the PPTP server.
service pptpd restart
In my case the ppp interface was being assigned 1396 as the MTU. Due to which I was unable to browse some sites. After changing MTU to 1400, the problem went away.
I initially used PPTP since the site Relakks.com uses the same. But due to poor performance I have now switched to OpenVPN instead. If you are not satisfied with PPTP you should try OpenVPN. You will find excellent documentation on their website.
Anyway, I hope you have found the above tutorial useful. 🙂
Hi, I’ve got a Red Hat Enterprise Linux Server release 5.1 over a i386, I do all you say but when I try to connect to my server I’ve got a 619 error in a windows xp, Do you know what can be wrong?
Hi, check out the following microsoft knowledge base article. http://support.microsoft.com/kb/227747/
It might have solution to your problem. 🙂
Thank you, all is working, the problem was is my ISP no my server, excelent article!
You Rock anindya!
Great tutorial; but I cannot connect to my VPN. I enter my server’s IP address as my host name, but it doesn’t connect. I don’t even see the authentication. I think it has something to do with open ports or so but I did everything according to your tutorial. Thanks in advance
If you are using a firewall on the client computer, make sure that it is configured to allow PPTP.
Also make sure that “PPTP passthrough” is enabled in your router. Check the following screen shot to see what I mean. http://img156.imageshack.us/img156/818/1282009112514ampq2.png.
Hi, i have vista home and have a vpn connection in centos, now sometimes the connection works perfect but sometimes it just dont get connected.. i have to restart the server pc and then it work and then sometime later start playing up. please tell me what can i be doing wrong…
I have no idea why that happens. It used to happen to me too. I experienced some other problems too with PPTP which is why I have switched to OpenVPN.
If you are experiencing problems with PPTP, try OpenVPN.
I did exactly as you wrote.. but I can`t connect from Vista to CentOS 🙁
Can anybody add me to MSN, maybe?
If you are using a router, make sure that it supports PPTP passthrough and that it is enabled.
When i try to install the pptpGUI i get issues with libglade.so and libxml.so and cannot process php4. Any ideas? it is driving me mad!!!
Great Tutorial !
Would be great if you can publish just like this tutorial one but for OpenVPN.
Sorry, I can’t help you. I am not familiar with pptpGUI and have no idea what relation it has with php 4. 🙁
Maybe I will publish a tutorial for OpenVPN too. 🙂
I have Centos 5. I got this error:
“This system lacks kernel support for PPP. This could be because
the PPP kernel module could not be loaded, or because PPP was not
included in the kernel configuration. If PPP was included as a
module, try `/sbin/modprobe -v ppp’. If that fails, check that
ppp.o exists in /lib/modules/`uname -r`/net.
See README.linux file in the ppp distribution for more details.”
That error message is pretty straight forward.
You are most likely using a virtual private server which is why your kernel doesn’t have PPP support. Also, on most virtual private servers, its not possible for the users to rebuild the kernel. If in your case, it is possible to rebuild the kernel, then follow the instructions found on this page to rebuild your kernel. You can enable PPP from the menu that appears after you use the “make menuconfig” command.
Usually, you wont come across this problem in a dedicated server.
With PPP you can use the inbuilt client support within NT,XP,Vista etc, but with OpenVPN you have to install a client, or can OpenVPN support pptp connections also?
Yes, in case of OpenVPN you have to install the client. And no, OpenVPN doesn’t support PPTP.
Anindya can i use mine VPS server as PPTP server, do i need router to setup PPTP VPN , is there any way in which VPN can be setup without router. Thanks and reply me asap.
I already connected to linux vpn server from windows vpn client but can’t browsing internet,let me know what cause this ??
i try to run this step :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
but i got error how can i remove this problem ?
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables: Unknown error 4294967295
Are you using a VPS?
If yes, then most likely the iptables module ‘iptable_nat’ is not available. Usually virtual private servers have lot of stuff disabled, so that they don’t use too much system resources. I suggest that you contact your VPS provider for help with this problem.
do you have any yahoo or skype for live chat? if yes please email me
also i have error 619 when i try connect to vpn via my user and password on windows
You still haven’t mentioned whether you are using a virtual private server or not. If you are using a virtual private server, then its very likely that you wont be able to solve the iptables problem yourself. You will have to contact your service provider.
As for the ‘error 619’ problem, please check out this microsoft kb http://support.microsoft.com/kb/227747/.
Also, I recommend that you use OpenVPN instead of PPTP.
i have VPS with Centos 5 as operation system , about PPTP , i want to use IBSng for accounting also my windows clients can access to my vpn without problem and with simple windows connection
@Anindya: i have disabled the iptables on my vps completely as i don’t want to be bothered with this port thingy. but still, i can’t connect to via vpn and it says error 619. could it be because the admin closed the vpn port?
You need to have iptables enabled. It is iptables that handles the forwarding and NAT. Without those iptables rules you wont be able to route your internet traffic through the VPN. But you should still be able to connect to it.
If you are unable to connect to the vpn and getting error 619, check out the microsoft kb article that I have linked to in one of my comments.
nice blog entries , i have tired this vpn server & am able to connect to the server but not able to access the internet . maybe its a routing issue.or fw related. what should be the local , the remote ip in my case .. server config & client are HERE http://pastebin.ca/1642753
am using dedicated server rhel.
Thank youu Anindya
Since you are using a dedicated server, you can follow this tutorial step by step. You can use same local and remote ip as the one I have used in this tutorial or you can use other private subnets.
I see that you have a public ip address in your ifcfg-eth1 file and not the ifcfg-eth0 file. If you are using eth1 as the public interface, you should replace eth0 in the iptables rules mentioned in this post with eth1.
Example: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
it wassss the apf firewall fault , not mine ;o thank you Anindya for you quick assistance.
pptpd & internet are up and running but am getting the half connection speed when using pptp.
any suggestions ;|
Switch to OpenVPN. Thats what I did. 😀
i am using Red Hat Enterprise Linux Server release 5.4 and PPTPD release installed pptpd-1.3.0-0 but when i am try to register on PPTPD i am getting below mention error,
same PPTPD is working on another system but it is not working on this system.
Please let me know why i am getting this error. in configuration i have tried all above mention options.
(Oct 30 12:02:18 server16 pptpd: CTRL: Client 126.96.36.199 control connection started
Oct 30 12:02:18 server16 pptpd: CTRL: Starting call (launching pppd, opening GRE)
Oct 30 12:02:18 server16 pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.3, this is 2.4.4
Oct 30 12:02:18 server16 pptpd: GRE: read(fd=6,buffer=804fa20,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Oct 30 12:02:18 server16 pptpd: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Oct 30 12:02:18 server16 pptpd: CTRL: Client 188.8.131.52 control connection finished)
Try removing pptpd and installing the latest version, that is version 1.3.4.
Here are download links for both 32 bit and 64 bit rpms.
Any idea on how to configure APF to allow pptpd to run?
APF just controls iptables, so the iptables rules listed on this page should work fine for you. Also, you can put the iptables rules in the /etc/apf/postroute.rules file and APF will execute them automatically when it starts.
It was a great guide you posted on configuring a vpn server, But I am having few issues. 1 is it takes sometime to connect, 2nd is if i am able to connect i am able to browse for like 5 minutes, and then i loose connectivity. Any ideas as to what might be causing this?
I also get the 619 error when trying to connect using Win XP. I installed the Poptop on VPS server (CentOS 5) using this guide. It seems that there are always issues on VPS servers.
Then I installed poptop on normal CentOS (not using CentOS) and I didn’t have any problems. It works like a charm.
Thanks, it is great tutorial.
I meant when I’m not using VPS it works great. My bad 🙂
Sorry, I have no idea what might be causing the issues you are having. 🙁 You should try connecting to the VPN using a different computer and from a different network and if you see that you are still having the same issues, then the problem is most likely with the server. If not, then it could be a problem with your client computer or network.
Virtual private server’s usually have many things disabled that are required for pptp, which is why others have had problems with VPSs too.
Anyway, I am glad you found this tutorial useful. 🙂
I have created a VPN without problems and I can connect, but I cannot browse the web on my Windows machine. I checked and for some reason the VPN does not allocate a Gateway… could that be the issue?
On my iPhone I can browse through the VPN with no problem.
Tnx! been looking for solution to my vpn problem till I found your site, whew! its been 2 weeks. Tnx much!
thank you! worked for me 🙂
[root@abc ~]# service pptpd restart
Shutting down pptpd: [失敗]
Starting pptpd: /etc/host.conf: line 1: bad command `127.0.0.1 localhost.localdomain localhost’
Warning: a pptpd restart does not terminate existing
connections, so new connections may be assigned the same IP
address and cause unexpected results. Use restart-kill to
destroy existing connections during a restart.
When I run the iptables commands to allow the port and do NAT I don’t get any errors, but changes never take effect. Any ideas?
@lin and @bisteck
You guys should try googling if you haven’t already. 😉
Thank you for your wonderful article.
I have APF and OpenVPN installed on my CentOS box. APF was installed a while back whereas OpenVPN was added recently.
As you may already know, apf restarts itself periodically if BFD is activated (since it adds new IPs to its block list).
We are unable to connect to the VPN and noticed that it works only when OpenVPN is restarted after the last apf restart. Thats when I googled it and reached this page. I can see that this has to do with the postroute rules but just cant figure out how to do it.
Here is my observation :
1) apf is off : works fine.
2) apf is on : stops working
3) with the above condition, if I restart openvpn : works fine.
4) with the above condition if i restart apf : stops working
Thus in summary, the last restart is that of openvpn, things work. If apf starts after openvpn, it doesnt.
Can you please help.
My gmail id is email@example.com in case you want to catch me online (I am usually online all day).
That is weird behavior indeed. I don’t understand how restarting OpenVPN can affect apf or iptables rules.
Anyway, you should give CSF a try. It shouldn’t take too long to install and configure it. It has LFD (login failure daemon) which is similar to apf’s BFD but csf doesn’t restart when new IPs are blocked by lfd.
I had followed your above procedue. However it doesn’t seems to be creating neither the daemon or pptpd.conf file. I had used to create ppp using yum followed by pptpd .
Please let me know your thoughts.
I had a package not installed after which it started working. However when trying to connect now using the vpn client , the logs indicate the following error
pptpd: CTRL: Starting call (launching pppd, opening GRE)
pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd: pppd 2.4.4 started by root, uid 0
pppd: Using interface ppp0
pppd: Connect: ppp0 /dev/pts/7
pppd: MPPE required but peer negotiation failed
pppd: Connection terminated.
pppd: Connect time 0.1 minutes.
pppd: Sent 10 bytes, received 15 bytes.
pptpd: GRE: read(fd=6,buffer=8059680,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Please let me know your thoughts.
Sorry for the late reply Thomas. I hope you have managed to solve your problem by now. If not, have a look at this – http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbpnf .
Also, in my opinion its best to use OpenVPN, especially if the client computers aren’t running Windows.
Oh man! Thanks a lot! After several hours of trying to configure OpenVPN this article is something! PPTD works just fine! Please, can I repost it?
You are welcome. 😀
And yes, you can repost this tutorial as long as you link back to it. 🙂 http://creativecommons.org/licenses/by-nc/3.0/
Nice guid thanks , Take care
You’re welcome. 🙂
I’ve installed the VPN with this tutorial and it was working fine,but after I restarted my VPS a couple of days ago it is not working any more.I get the error 809.
I tried stopping the firewall,adding the rules again to the iptables but it is not working.
Have you tried the obvious and checked whether pptpd is running? It may not have started automatically after you restarted your VPS. To make it start automatically after reboots, use the command “chkconfig pptpd on”.
Thanks for the nice guide ! I went through the guide and did everything step by step. everything is fine, clients can connect to the vpn server and they can ping local machines, but internet does not go through the vpn connection unless i uncheck the default gateway option on my client machine which is not what i want. I want my clients to get my server’s ip address. my server is behind a router (router’s ip : 192.168.0.1 | server’s local ip: 192.168.0.100) so i used localip 192.168.0.100
& remoteip 192.168.0.234-238 in pptpd.conf. it think that there is something wrong with routing, because it seems that DNS works .. when i try to browse a website my browser says “Waiting for xxxxx.com…” and it stays like that forever ! the funny part is that google.com works fine ! don’t know how 🙂 I would really appreciate if you can help me with this issue. Thanks
Did you try changing the MTU to 1400 as I mentioned in the troubleshooting section? That should most likely fix the problem you are describing. 😀
dude ! you are the best ! 😀
Hi, I receiving this error when I iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables: Unknown error 18446744073709551615
Are you using a VPS? If yes, then the ipt_MASQUERADE module is most likely disabled. So, try the following instead.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 184.108.40.206
Change 220.127.116.11 to the public IP address of your server.
yes I’m using VPS, i try this command and this time no error but when I try to connect From my windows, I get this error 807
I don’t think that error message has any relation to that iptables rule. If you have a firewall installed on your PC, make sure that it allows the GRE protocol. Also, if you are using a router, make sure PPTP passthrough is enabled in it.
I can connect to my other VPN server (windows server) and it’s working, but I cant connect to this new one. so I don’t think it’s problem with my computer. any idea?
in ms-dns setup I put my VPS ip address. is that ok?
Is your other VPN also a PPTP VPN? Also, what did you use for “localip” and “remoteip”?
In ms-dns you are supposed to either use the dns servers used by your VPS (you can find them in /etc/resolv.conf) or public dns servers like OpenDNS or Google Public DNS.
Make sure you have followed all the steps correctly and that everything is up and running in your server.
I reset the re-imaged the server and setup it again step-by-step but still it doesn’t work and can’t figure out what is the problem!!
my VPS is using Parallels Power Panel. at first when the firewall was off I received error 619 but when I activate the firewall in normal mode I got error 807??
yes my other VPN is PPTP and it’s a dedicated server.
Sorry for the late reply.
I think you are having trouble because it’s a VPS. You should use a dedicated server if you really want to use PPTP. Otherwise you can try OpenVPN which works fine on virtual private servers as long as the tun module is enabled.
I think I should do that, tnx for your help!
Is it possible to use MySQL to store username and password instead of chap-secret?
so i could use my billing program….
Sorry for the late reply. I am not sure if it’s possible to directly use MySQL to store usernames and passwords but you can use RADIUS authentication with FreeRADIUS, which can use MySQL to store usernames and passwords. Have a look at the following.
Thanks for being so helpful to your readers. My setup is using the CSF firewall, and i have followed your intructions for IP Forwarding and Firewall Rules. I tried putting those rules in the file csfpre.sh
and also tried csfpost.sh, and made them executable. But with the CSF firewall on the LAN does not get internet, but when i stop CSF the LAN can browse, after i run the rules manually. Also when i run only the csfpost.sh script on its own the network clients are able browse. Everything else is working fine.
anindya… I followed your instructions exactly but cannot seem to start pptpd.
Do you know why it won’t start? It just gets stuck on
but doesn’t do anything else.
Also can you have openvpn and pptpd installed on the same server? Thanks.
You can add the TCP port 1723 in the TCP_IN configuration option of CSF. Rest of the rules you can add in the csfpost.sh file as shown below.
$IPT -A INPUT -i eth0 -p gre -j ACCEPT
$IPT -A FORWARD -i ppp+ -o eth0 -j ACCEPT
$IPT -A FORWARD -i eth0 -o ppp+ -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Are you using a VPS? If yes, then the VPS most likely does not support pptpd which is why it’s not starting. If you are using a dedicated server, make sure you have configured it correctly.
And yes, it should be possible to have openvpn and pptpd installed on the same server.
I config a pptp server on my vps using your manual. it works good. but recently it’s work in bad shape! when I connect to the server it disconnect me automatically in just few second! what’s the problem? do you have any idea to resolve it?
Sorry, I have no idea what the problem could be. It is because of problems like this that I don’t use pptp. If you are unable to figure out what the problem is, I recommend that you give OpenVPN a try.
I already connected to linux vpn server from windows vpn client but can’t browsing internet,let me know what cause this ??
Sorry for the late reply. I hope you were able to solve your problem by now. If not, make sure that you followed all the steps correctly, in the “IP Forwarding and Firewall Rules” section.
VPN connection is eastablished successfully but after connecting to VPN .. i am not able to access vmware workstation IPs..
whats is the solution to this problem.?
Followed this guide and I’m getting ”
Unable to obtain Session ID from sitehere.com:1723: XML-RPC: None.
Any ideas ?
Nice article, consise and too the point. Often the problem with doing things in Linux is just getting started, getting the simplest configuration and starting from there.
This artice did this, which is a good thing.
@Aziz and @n0rbertt
Sorry for the later reply. Unfortunately, I have never encountered the issues that you guys mentioned and so I have no idea how to solve them. 🙁
But I do hope that by now you guys have managed to solve your problems yourselves. 😀
Can you provide me which version of CentOS + Kernel+PPP+PPTP versions are you using?
I am no longer using PPTP. I use OpenVPN now. But when I wrote this tutorial I was using CentOS 5 and the pptpd version I was using is mentioned in the tutorial (1.3.4). i do not remember the kernel or ppp versions that I was using.
By the way, this tutorial will not work on most virtual private servers. And VPS providers will usually advertise PPTP support if it is supported by their VPSs.
an OpenVPN tutorial wil be welcome:D
Hi there, excellent tutorial! However, just getting a small issue that I can’t quite figure out. I’m able to connect to the VPN server fine, but once I am connected I don’t seem to be able to browse the internet at all. I double checked my iptables and they seem correct: http://pix.cm/s/2011-10-12_03-18-11.png
Also for the options.pptpd file I used Google DNS for my DNS servers, but I tried other ones as well and that didn’t change the situation.
I’m wondering if perhaps the IP address settings here might be incorrect? http://pix.cm/s/2011-10-12_03-20-18.png
If you could just point me in the right direction, that would be greatly appreciated, or at least what to look over for potential errors as I’m not being given any sort of errors and have no idea how to begin to troubleshoot this.
Sorry for the late reply. The “IP addresses for server end of connection” in the second screenshot is also supposed to be a private IP like 192.168.1.1. If you were following this tutorial, maybe you should have manually edited /etc/pptpd.conf instead of using webmin to configure pptpd.
Once again, I apologize for the late reply. 😀
I have installed PPTPd on Centos 5.6 and clients are connecting from windows XP. it was working fine , now from last 1 week My sessions are disconnecting after some time. I tried installing fresh pptpd but the issue is still there. Now i did capture PPP packets on client machines by Wireshark and got to know that when the disconnection occurs the PPP LCP protocol is showing Protocol reject messages where destination is the client IP. Any body encountered the same problem please share the solution.
Thank you for such a wonderful tutorial. Unfortunately, i’m having troubles.
I’ve followed the tutorial well and i’m able to establish a connection successfully but i can’t browse any site or anything via the VPN. Can you please tell what’s wrong with it? Thanks
Sorry for the late reply. The problem you mentioned usually happens when IP forwarding isn’t enabled or iptables isn’t configured correctly. I hope you have figured it out by now.
Hi, this looks like a great guide! Was wondering if you can help me, I’ve been spoiled with all my other servers being on windows server 2008 so it was always very simple. I’ve never used cent before so I have no clue of how to even begin to connect to my new dedicated server I just bought with CentOS 6 and CPANEL.
I run a vpn company and on all my other servers i use windows but now i want to learn how to use cent so i can use cpanel and automate alot of tasks.
Before I followed this guide above for all my servers, so I guess my main questions are:
1) What is the best remote desktop alternative for CentOS because I can’t do these commands directly from cpanel right?
2) My dedicated servers for example have around 60 unique ip addresses each, and normally when a user buys my service I simply go to remote desktop and give them a username and password and one unique ip address, how would I do this for centos?
THANK YOU SO MUCH FOR YOUR HELP!!!
Hey, thanks for the how-to.
I’ve also written a script that automates the PPTP VPN installation on CentOS 6 if you want to check it out: